A British computer researcher who in May stopped an outbreak of the WannaCry ransomware was arrested in Las Vegas. Marcus Hutchins was in Las Vegas attending two hacking conferences, Def Con, and Black Hat. On Wednesday he was at Las Vegas airport waiting to go back to the U.K. when U.S. Marshals stopped him.

Hutchins, 23, was arrested for his alleged role in creating and distributing the Kronos banking Trojan, according to a Justice Department spokesperson.

Marcus Hutchins. Image Credit: Frank Augstein / AP

His indictment is dated July 11, two weeks before he flew to the U.S. to attend Def Con and Black Hat, the annual security conferences.

Hutchins is apparently in FBI custody for creating the Kronos malware

Hutchins became an “accidental hero” back in May when he discovered a way to stop the WannaCry ransomware, which hit companies, hospitals, and people in over 150 countries. He registered a particular website domain included in WannaCry’s code and stopped the ransomware that had thousands of people paying bitcoins to recover their data.

The computer wizard works as a researcher in cyber security firm Kryptos Logic. Motherboard first reported the story and said Hutchins was first being held at the Henderson Detention Center in Nevada early on Thursday but was later moved to another facility, according to a friend.

The friend, whose identity was not disclosed due to privacy concerns, tried to visit Hutchins as soon as the center opened but he had already been transferred.

“I’ve spoken to the US Marshals again and they say they have no record of Marcus being in the system,” Hutchins’ friend told Motherboard. “At this point, we’ve been trying to get in contact with Marcus for 18 hours and nobody knows where he’s been taken. We still don’t know why Marcus has been arrested and now we have no idea where in the U.S. he’s been taken and we’re extremely concerned for his welfare.”

The U.S. Marshals later confirmed that the arrest was carried out by the FBI, not by them. A UK’s National Crime Agency spokesperson said they were aware that a UK national was arrested, but that it was a matter for the authorities in the U.S.

WannaCry ransom money was cashed out recently

According to a federal indictment against Hutchins and an unnamed co-defendant, the “accidental hero” (also known as @MalwareTechBlog) was arrested for his role in creating and distributing the Kronos banking Trojan. The Kronos malware program was first discovered in July 2014 and was responsible for stealing online banking credentials and credit card data.

One friend told The Verge Hutchins is currently being held in the FBI’s Las Vegas field office, although that information hasn’t been confirmed.

Screenshot of the WannaCry ransom letter. Image Credit: SecureList

The WannaCry ransomware caused damage to UK’s National Health Service and affected over 75,000 computers worldwide. A day after the ransomware appeared, Hutchins discovered a “kill switch” that disabled the virus. Coincidently, the Bitcoin wallets in which the WannaCry asked people to deposit the ransom money were cashed out earlier today.

Quartz reported that $140,000 were cashed out in several operations on Wednesday, even though experts believe the money would stay there, as law enforcement agencies are monitoring the case. According to Quartz, the money was likely sent through a Bitcoin mixer, a process in which bitcoin is transferred to hard currency while obscuring its trail. The method is the equivalent of money laundering for the digital currency.

Founder of website hosting Kronos was recently found dead

A Justice Department spokesperson clarified the charges are not related to WannaCry, just Kronos. The federal department has been looking for those involved with the Kronos malware for two years. According to the indictment, Hutchins created the malware, and then the unnamed co-defendant offered to sell Kronos for $3,000 in August 2014. In February 2015, Hutchins helped the person update the malware.

Then, in April 2015, the co-defendant offered the malware in the darknet market forum AlphaBay and sold it for $2,000 in the digital currency. AlphaBay was a notorious, infamous darknet market, which was recently defunct.

The dark web market was taken down by the U.S. Department of Justice and several international law enforcement agencies. Its founder and operator, Alexander Cazes, was arrested in Thailand on July 5 and was later found dead in his cell from an apparent suicide. Cazes had a net worth of more than $23 million, according to law enforcement officials.

“We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family,” a UK Foreign Office spokesperson told Motherboard.

While it appears as if Hutchins is only charged for creating Kronos, law enforcement agencies have not presented any evidence yet for this claim. However, Hutchins’ Twitter activity indicates he may have been researching the malware during that period.